F5 Customer Edge Controlled Access Guidance
Objective
F5 strongly recommends that customers secure the access mechanisms available on deployed F5 Distributed Cloud Customer Edge (CE) nodes, to the extent required by their organizational security policies and the industry standards that apply to their networked systems.
Overview
Each of the following sections provides information regarding access security controls for various parts of the CE node configuration. Customers should evaluate each of the sections to determine if the specific configuration modification is appropriate for their respective environments.
Local access
F5 requires that customers change the passwords of F5 Distributed Cloud CE node management accounts from their default values. F5 also strongly recommends using SSH key pairs, rather than passwords, for all ongoing access to F5 Distributed Cloud CE node(s).
Disable local node services
Depending on the CE deployment configuration, customers may disable SSH/CE CLI access, the configuration utility (web UI), or both, for tighter security control or to mitigate specific threats. In the Multi-Cloud Network Connect workspace, under Site Management in the main left navigation, local administrative services can be disabled individually by service type and by VRF. The menu location where SSH/CE CLI or the configuration utility/web UI can be disabled depends on the CE Site type:
- Customer Edges > Secure Mesh Sites v2: Node Local Services
- Legacy Site types:
  - Secure Mesh Site (legacy manual Site type): Advanced Configuration > Services to be blocked on site
  - Cloud service provider Site types (Azure, AWS TGW, AWS VPC, and GCP): Advanced Configuration > Blocked Service
Further configuration details can be found in the How-to CE Site deployment guides for each Site type. Note that blocking a service removes that local access path on the selected VRF; confirm that an alternative path for troubleshooting and recovery remains available before disabling it on a production node.
Controlling network access
F5 recommends that customers limit exposure of the administrative IP addresses and ports of F5 Distributed Cloud Customer Edge (CE) nodes to trusted, explicitly allowed IP addresses or IP ranges. Doing so controls access to the following F5 Distributed Cloud CE node administrative services:
- Configuration Utility
- SSH/CE CLI
- Any associated virtual K8s workloads
Restrict management access to the F5 Distributed Cloud CE node configuration utility and SSH/CE CLI to known, trusted hosts and clients. This can be enforced through organizational controls or through network-based deployment controls such as firewall rules, cloud security groups, or network ACLs placed in front of the node.
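The following script is an added example, not F5 code, of the check a practitioner would run against the network-based controls described above: it audits a set of ingress rules and flags any rule that exposes a CE management port to a source outside the trusted ranges. The rule shape, the trusted ranges, and the rule sets are constructed for the example; the management ports (TCP/22 for SSH/CE CLI and TCP/65500 for the configuration utility) are assumptions and should be confirmed against the deployment guide for your Site type.

```python
"""Audit ingress rules that front a CE node's management services.

Added illustrative script (not F5 code). Assumed: SSH/CE CLI on TCP/22 and
the CE configuration utility on TCP/65500. The rule format below is a
constructed, vendor-neutral shape, not any cloud provider's API.
"""
import ipaddress

# Assumed management ports; confirm against your deployment guide.
MANAGEMENT_PORTS = {22: "SSH/CE CLI", 65500: "Configuration Utility"}

# Constructed trusted sources: a VPN egress range and a single jump host.
TRUSTED_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.10/32"),
]

# Constructed weak rule set: management ports open to the world, plus a
# partner range granted every TCP port (which silently includes management).
WEAK_RULES = [
    {"name": "ssh-anywhere", "proto": "tcp", "from": 22, "to": 22, "source": "0.0.0.0/0"},
    {"name": "ui-any", "proto": "tcp", "from": 65500, "to": 65500, "source": "0.0.0.0/0"},
    {"name": "all-tcp-partner", "proto": "tcp", "from": 0, "to": 65535, "source": "192.0.2.0/24"},
    {"name": "https-ingress", "proto": "tcp", "from": 443, "to": 443, "source": "0.0.0.0/0"},
]

# Constructed hardened rule set: management only from trusted ranges; the
# public HTTPS listener for workloads stays open, which is not a finding.
HARDENED_RULES = [
    {"name": "ssh-vpn", "proto": "tcp", "from": 22, "to": 22, "source": "203.0.113.0/24"},
    {"name": "ui-jump", "proto": "tcp", "from": 65500, "to": 65500, "source": "198.51.100.10/32"},
    {"name": "https-ingress", "proto": "tcp", "from": 443, "to": 443, "source": "0.0.0.0/0"},
]


def rule_touches_management(rule):
    """Return the management ports covered by this rule's port range."""
    if rule["proto"] not in ("tcp", "all", "-1"):
        return []
    return [p for p in MANAGEMENT_PORTS if rule["from"] <= p <= rule["to"]]


def source_is_trusted(source):
    """True only if the rule's source CIDR lies entirely inside a trusted range.

    A partial overlap (e.g. a /16 that contains the VPN /24) is still untrusted,
    because it also admits addresses outside the allowlist.
    """
    net = ipaddress.ip_network(source, strict=False)
    return any(net.subnet_of(t) for t in TRUSTED_SOURCES if net.version == t.version)


def audit(rules):
    """Return one finding per rule exposing a management port to an untrusted source."""
    findings = []
    for rule in rules:
        ports = rule_touches_management(rule)
        if ports and not source_is_trusted(rule["source"]):
            findings.append({
                "rule": rule["name"],
                "source": rule["source"],
                "services": [MANAGEMENT_PORTS[p] for p in ports],
            })
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, audit(rules))
```

Run as-is to see the three findings against the weak rule set and none against the hardened one. The check is deliberately strict about containment: a broad CIDR that merely overlaps a trusted range is reported, because it still admits untrusted sources.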
Monitoring login attempts
F5 strongly recommends that customers closely monitor login attempts to F5 Distributed Cloud CE nodes. Streaming CE node logs to SIEM tools provides the audit trail for this monitoring; setup is described in the following documentation: Configure Log Streaming.
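The following detection logic is an added example, not F5 code, of what the SIEM side of that monitoring typically looks like once login events are streamed: it raises an alert on a burst of failed logins from one source, on a successful login from a source that has just produced such a burst, and on any password-based login, since the Local access section above recommends SSH keys. The sample log lines are constructed in the common OpenSSH syslog shape; the exact field layout of the CE log stream is an assumption, so adapt the regex to what your stream actually emits.

```python
"""Flag suspicious login activity in streamed CE node logs.

Added example (not F5 code). SAMPLE_LOG is constructed in the common OpenSSH
syslog format; the real CE log stream's field layout is an assumption here.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one key-based operator login, a password burst from one
# host that eventually succeeds, and a lone failure from the VPN range.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z ce-node-1 sshd[1201]: Accepted publickey for admin from 203.0.113.5 port 50122 ssh2: ED25519 SHA256:abc
2024-05-01T09:05:10Z ce-node-1 sshd[1310]: Failed password for admin from 198.51.100.23 port 40001 ssh2
2024-05-01T09:05:12Z ce-node-1 sshd[1311]: Failed password for root from 198.51.100.23 port 40002 ssh2
2024-05-01T09:05:13Z ce-node-1 sshd[1312]: Failed password for invalid user test from 198.51.100.23 port 40003 ssh2
2024-05-01T09:05:15Z ce-node-1 sshd[1313]: Failed password for admin from 198.51.100.23 port 40004 ssh2
2024-05-01T09:05:17Z ce-node-1 sshd[1314]: Failed password for admin from 198.51.100.23 port 40005 ssh2
2024-05-01T09:06:40Z ce-node-1 sshd[1320]: Accepted password for admin from 198.51.100.23 port 40010 ssh2
2024-05-01T11:30:00Z ce-node-1 sshd[1500]: Failed password for admin from 203.0.113.9 port 51000 ssh2
"""

# Assumed line layout: "<ts> <host> sshd[pid]: <Accepted|Failed> <method> for [invalid user] <user> from <src> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(text):
    """Turn raw log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts, in time order, for the three patterns worth paging on."""
    alerts = []
    recent_failures = defaultdict(list)  # src -> timestamps of failures inside the window
    burst_sources = set()                # sources that already tripped the threshold
    for e in sorted(events, key=lambda ev: ev["ts"]):
        src = e["src"]
        if e["result"] == "Failed":
            # Sliding window: drop failures older than `window` before counting.
            recent_failures[src] = [t for t in recent_failures[src] if e["ts"] - t <= window]
            recent_failures[src].append(e["ts"])
            if len(recent_failures[src]) >= threshold and src not in burst_sources:
                burst_sources.add(src)
                alerts.append({"type": "failed_login_burst", "src": src,
                               "count": len(recent_failures[src]), "ts": e["ts"]})
        else:
            # A success right after a burst is the signal that the guessing worked.
            if src in burst_sources:
                alerts.append({"type": "success_after_burst", "src": src,
                               "user": e["user"], "ts": e["ts"]})
            # Any password login is worth noting when policy says keys only.
            if e["method"] == "password":
                alerts.append({"type": "password_login", "src": src,
                               "user": e["user"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The threshold and window are parameters so the same logic can be tuned per environment; the lone failure from 203.0.113.9 never reaches the threshold and produces nothing, while the 198.51.100.23 sequence produces a burst alert, a success-after-burst alert, and a password-login alert.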
Maintain current CE software
F5 strongly recommends that customers run currently supported CE software versions. CE software releases and their support status are listed at the following resource: Node Operating System and Software Changelogs
Additional information
For information about how to further secure and manage F5 Distributed Cloud CE nodes, refer to the following: